Russian online payment site linked to MacDefender malware scam

After a raid on Russian payment giant Chronopay's offices, authorities have found evidence linking the company to the MacDefender fake anti-virus scam that targeted Mac users.

Security expert Brian Krebs reported on his blog that Russian cops have discovered "mountains of evidence" that Chronopay employees were providing technical and customer support for bogus anti-virus software, including MacDefender.

Police discovered "Website support credentials and the call records of 1-800 numbers used to operate the support centers," Krebs wrote. Evidence was also found linking the company to Rx-Promotion, an online program that worked with spammers to promote sites selling counterfeit prescription drugs.

Chronopay has a 45 percent share of the Russian e-commerce market and had denied involvement with the scam in May after Krebs leveled accusations against the company. Co-founder Pavel Vrublevsky was arrested in June over allegations that he hired a hacker to attack his company's rival.

If allegations against ChronoPay are true then we should expect significant decrease of revenues received by cyber criminals in the appropriate segments of black market in the near future, said Maxim Suhanov, a specialist at computer-forensics firm Group-IB.

MacDefender-related document discovered at the Chronopay office

A recent analysis of the fake anti-virus distribution networks found that scammers were using highly profitable pay-per-install programs to deploy the malware. PPI networks reportedly charge as little as $750 for 10,000 installs.

If you do the math, its almost like youre printing money, researcher Damon McCoy said. You could pay the PPI networks $75 to get 1,000 fake AV installs. And if you had an average conversion rate of one in 50, making between $25-$35 on each install, that works out to about 20 sales  or conservatively $500 per one thousand installs."

Users first discovered the MacDefender malicious software in late April. Using a method known as "SEO poisoning," the malware automatically downloaded itself onto users' computers and posed as an anti-virus software in an attempt to trick users into providing credit card information. Security firms categorized the threat as "low" because the users were still required to agree to install the software and provide a password.

However, in late May, a variant of the malicious software was discovered that installed itself without administrator approval. Apple issued a security update to Mac OS X meant to detect and disable the malware.

Security researchers have applauded Apple for its recent security efforts, especially in Mac OS X Lion, while also warning that the Mac platform's increased visibility may open it up to increased threats from hackers.

Anyway, I hope that the criminals get thrown in a dirty old cell and that each of them gets a cellmate named Igor, who happens to be doing life in prison for molestation, incest, rape, murder, theft, arson and child porn.

It says:
Name of the channel: Mac Defender
Phone number: 1-800-xxx-xxxx, written inside the software itself
Channel of technology and financial support [services] for mac defender. (conduct tech. support and refunds).
If there are any complaints or dissatisfaction give the number of NewBuy Company